> tried running the FileMon.exe example against my System process (PID: 4)
This won't work at all... And I also don't see the need of hooking this process. I am not sure whether you can get this working even with pure unmanaged injection and DLLs...
The managed API will try this automatically.
> Can this be done, or will this require an unmanaged injection library, or a kernel-mode driver?
If you want to hook the whole system, a kernel mode driver is the only stable way of doing so...
> I want to be able to hook CreateFile() (via System process) and get the underlying thread impersonation token to identify the user for each
You want to hook system wide?
The impersonation token might be indirectly accessible through "WindowsIdentity" or something like that. Just look it up in the MSDN. To access the native token you probably need a C++.NET DLL which exports the required unmanaged code to managed classes...
> I don't see any way to do this in a managed fashion. Is this possible with EasyHook?
System wide is only possible with the EasyHook kernel driver...
Managed injection is truly no option for doing anything system wide. Even unmanaged injection is also no real option, even if it might be more successful...